I am using Rackspace Cloud Files as File Storage server for my application. The files that users upload must be authorized from within my application, then from a controller it would redirect to the correct Rackspace Cloud Files CDN URL. I am trying to do authorization using Rackspace Cloud Files' Referrer ACL.

So let me just add a very simple snippet to clarify what I am trying to accomplish.

So with the CloudFiles gem I have set up an ACL Referrer regular expression that should work.

http\:\/\/.+\.domain\.com\/projects\/\d+\/files\/\d+\/download

When the user clicks on a link in the web UI, it routes them to the above URL and depending on the parameters, it will from the download action redirect the user to the correct Rackspace Cloud Files File URL.

Well, what I get is an error, saying that I am unauthorized (wrong http referrer). I have a hunch that because I am doing a redirect from the download action straight to cloud files, that it doesn't "count" as an HTTP Referrer and, rather than use this URL as a referrer, I think it might be using this URL:

http\:\/\/.+\.domain\.com\/projects\/\d+\/files

Since this is the page you are on when you want to click on the "download" link, that directs the user to the download action in the FilesController.

When I set the HTTP Referrer for Rackspace ACL to just this:

http\:\/\/.+\.domain\.com\/projects\/\d+\/files

And then click on a link, I am authorized to download. However, this isn't safe enough since then anyone could for example just firebug into the html and inject a raw link to the file and gain access.

So I guess my question is, does anyone have any clue how or why what I am trying to accomplish is not working, and have any suggestions/ideas? As I said, I think it might be that when a user clicks the link, the referrer is being set to the location from which the file is being clicked, not the URL where the user is being redirected to the actual file on cloud files.

Is something like this possible?

class FilesController < ApplicationController
  def download
    # Dynamically set a HTTP Referrer here before
    # redirecting the user to the actual file on cloud files
    # so the user is authorized to download the file?
    redirect_to(some_url_to_a_file_on_cloud_files_url)
  end
end

I actually went with Amazon S3 rather than Rackspace Cloud Files for a couple of reasons. But the one relating to the topic above would be that it is extremely simple to add authorization to Amazon S3 in Ruby on Rails with the Paperclip gem. Basically what you have is a private bucket and you use Paperclip's expiring_url method to generate a unique key for every download and expire it within a couple of seconds. A very simple, fast and secure solution to the problem above. Authorization can be done in the application layer that way.
– Michael van Rooijen Oct 31 '10 at 10:51
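An added example, not code from the question, from Paperclip or from either storage provider, of the expiring-URL pattern the comment above describes, in plain Ruby: the download action does its own authorization, then redirects to a URL that carries an expiry and an HMAC over path plus expiry, so the storage side (or a proxy in front of it) can verify the link without looking at the Referer header at all. The secret, the object path and the helper names (expiring_url, valid_url?, SIGNING_SECRET) are assumptions made for the example.

```ruby
require "openssl"
require "uri"
require "cgi"

# Constructed secret for the example; in a real app it lives in credentials,
# is shared only with the verifier, and never appears in a URL.
SIGNING_SECRET = "example-shared-secret-not-for-production".freeze

# HMAC over the object path and the expiry, so neither can be changed
# without invalidating the signature.
def signature(object_path, expires, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{object_path}|#{expires}")
end

# What a download action would redirect to after authorizing the request:
# a link that is only good for ttl_seconds and only for this object.
def expiring_url(base, object_path, ttl_seconds:, now: Time.now.to_i, secret: SIGNING_SECRET)
  expires = now + ttl_seconds
  "#{base}#{object_path}?expires=#{expires}&sig=#{signature(object_path, expires, secret)}"
end

# Constant-time comparison so a wrong signature does not leak how many
# leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The verifier's side: reject missing or malformed parameters, expired links,
# and any URL whose path or expiry no longer matches the signature.
def valid_url?(url, now: Time.now.to_i, secret: SIGNING_SECRET)
  uri = URI.parse(url)
  params = CGI.parse(uri.query.to_s)
  expires = params["expires"].first
  sig = params["sig"].first
  return false if expires.nil? || sig.nil? || expires !~ /\A\d+\z/
  return false if expires.to_i <= now
  secure_equal?(sig, signature(uri.path, expires.to_i, secret))
rescue URI::InvalidURIError
  false
end
```

A link pasted out of the HTML (the "firebug" case in the question) stops working after the TTL, and editing the path or expiry in it fails the HMAC check.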

2 Answers

Generally Michael's comment is more than enough to explain why S3 tops rackspace for this matter, but if you'd really like to add some special HTTP headers to your Rackspace request - do an HTTP request of your own and fetch the file manually: